No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of APConnections, Inc.
www.netequalizer.com Page 1 of 52
User Guide
Table of Contents
Where to Install NetEqualizer ............................................. 3
Setting your Trunk Size ................................................... 4
Equalizing (Default Mode) ................................................. 5
Modifying Equalizing Parameters ........................................... 7
    Using the RATIO Parameter to Influence Default Mode ................... 7
    Parameters to Adjust Equalizing Sensitivity ........................... 7
    Parameters to Size Internal Tables .................................... 9
    Viewing your Parameter Settings ....................................... 10
Tips and Tricks ........................................................... 35
Appendix 1 - Parameter Settings, Units, and Defaults ...................... 38
Appendix 2 - Setting/Forcing LAN Speeds and Duplex ........................ 39
Appendix 3 - Tuning Hard Limit, VLAN, and Pool Sensitivity ................ 41
Appendix 4 - Packet Capturing for taps such as CALEA ...................... 43
Appendix 5 - Network Access Control (NAC) ................................. 45
Appendix 6 - NetEqualizer User-Quota API (NUQ API) Programmer's Toolkit ... 48
Thank you for purchasing a NetEqualizer. You are now on your way to achieving "Faster Networks, With Zero Maintenance, At The Best Prices". Using NetEqualizer in default factory mode will take care of almost all network congestion and priority traffic flow requirements, and is the recommended operational mode for most customers. However, NetEqualizer also offers a wide range of bandwidth control options, while at the same time allowing you to keep it simple.

NetEqualizer Quick Start Guide

To perform your initial installation, you should reference the NetEqualizer Quick Start Guide. This contains the basic setup details and minimal settings required to get you up and running. A hard copy is included in your shipping box. We also email a PDF copy with your shipping confirmation email.

Note: The NetEqualizer Quick Start Guide is a step-by-step instruction manual.

NetEqualizer User Guide

The NetEqualizer User Guide is intended to walk through NetEqualizer features in more detail than our NetEqualizer Quick Start Guide. It also includes appendices describing our add-on modules. Once up and running, it is a good idea to review this entire NetEqualizer User Guide, to become familiar with all of the advanced features available to you.

Note: The NetEqualizer User Guide is not a step-by-step instruction manual.

For Additional Help

Should you need further assistance setting up your NetEqualizer, please call our Support Team at 303.997.1300 x102 or email support@apconnections.net. If you purchased through an authorized distributor or reseller, check with them first to determine if they support you directly.
Setting your Trunk Size
NetEqualizer allows for different speeds for outbound and inbound links. The parameters are TRUNK_UP (outbound) and TRUNK_DOWN (inbound). These parameters are set in bytes per second, and are used by the NetEqualizer so it can react and take action when your trunk is at capacity.

From the Web GUI Main Menu, Click on ->Parameters->Modify parameters

In the table displayed on the screen, you should see TRUNK_UP and TRUNK_DOWN. Set TRUNK_UP and TRUNK_DOWN to match your network capacity: the size of your network pipe for outbound traffic (TRUNK_UP) and inbound traffic (TRUNK_DOWN). We use these parameters to determine when to start Equalizing. Making either of these parameters larger than your actual trunk size will make the shaping rules less restrictive. Making them smaller than your actual trunk size will make them more restrictive.

Note: Link speeds are usually quoted in bits per second, while TRUNK_UP and TRUNK_DOWN are in bytes per second, so divide the quoted speed by 8 (a 10 Mbps link is 1,250,000 bytes per second).

Note: TRUNK_UP and TRUNK_DOWN do not enforce the link speed from your provider. We assume your provider has already enforced your contracted speed.

You need to stop and restart the NetEqualizer process for changes to take effect after changing your Trunk Size.

From the Web GUI Main Menu, Click on ->Miscellaneous->Stop NetEq, then Click on ->Miscellaneous->Start NetEq
Equalizing (Default Mode)
Equalizing is a simple concept. It is the art form of looking at the usage patterns (aka traffic behaviors) on the network, and then, when things get congested, robbing from the rich to give to the poor. Rather than writing hundreds of rules to specify allocations to specific traffic as in traditional application shaping, you can simply assume that large downloads are bad, short quick traffic is good, and be done with it. This behavior-based approach usually mirrors what you would end up doing if you could see and identify all of the traffic on your network, but doesn't require the labor and cost of classifying everything. Applications such as web surfing, instant messaging (IM), short downloads, and VoIP all naturally receive higher priority, while large downloads and P2P receive lower priority. This behavior-based shaping also does not need to be updated constantly as applications change.

Once equalizing is in place, it automatically shapes your network when it is congested, using algorithms to implement "fairness". The concept of fairness enables your network to continue providing quick response times to the majority of your users while restricting the network hogs. Low bandwidth users do not have to share the pain of a slow, congested network with the network-hogging applications.

Equalizing does this by using our proprietary algorithms to implement fairness. First, equalizing tracks how much bandwidth is being used. If bandwidth used is over a predefined level, the network is considered congested. Once the network is considered congested, equalizing looks at every connection (IP address pair) and puts a PENALTY on those that are over a predefined level. This process continues until network congestion eases.

NetEqualizer is the only tool on the market to offer bandwidth shaping in these 3 modes:

Equalizing. Default Rules only (simplest)
    Default Rules = on. Custom Rules have not been defined.
    Balances your traffic all the time, giving priority to short, bursty-type traffic such as web surfing, chat sessions, VoIP, and e-mail.

Default Rules & Custom Rules (most customized)
    Default Rules = on. Custom Rules have been defined.
    A combination of custom rules, such as hard limits by VLAN, Pools, IP address, subnet, or MAC address, with the safety valve of Default Rules on in the background.

Custom Rules only (not recommended)
    Default Rules = off. Custom Rules have been defined.
    Equalizing is not used in this mode, as the Default Rules are off. Traffic is not being balanced. Control is by custom rules only, such as hard limits by VLAN, Pools, IP address, subnet, or MAC address.

NetEqualizer comes configured to automatically start up with Equalizing turned on (aka "default mode"). Default Mode enables the network to deliver traffic equalizing for the most common situations, without the need for expertise in complex traffic shaping rules.

You can check if you are currently in Default Mode.

From the Web GUI Main Menu, Click on ->Miscellaneous->Show NetEq Config

In the configuration displayed on the screen, you should see DEFAULT_RULES = on

Once NetEqualizer is installed and running, a review of the Standard Log File will allow you to monitor and analyze how NetEqualizer is responding to your network's traffic.

From the Web GUI Main Menu, Click on ->Reports & Graphing->Show the log

Applying Penalties

When your network is experiencing moderate to heavy use, you will see entries containing the word PENALTY followed by two IP addresses in the log. PENALTY indicates that NetEqualizer's built-in fairness rules have determined that the communication link between these two IP addresses (a connection) is using too much bandwidth, so NetEqualizer has issued a penalty against this connection. The penalty causes all data on that connection to slow down. At periodic intervals, if NetEqualizer determines that this connection is still using too much bandwidth, it will increase the delay on the connection. The PENALTY will be removed in a few seconds should the congestion on your network subside.

NetEqualizer bases its decision to issue penalties on built-in fairness rules:

- The persistence of the user's connections. We look at the length of time the connections have been live. The longer the time, the more likely a penalty.
- The amount of bandwidth used relative to the total size of the trunk.
- The number of users on the trunk. The more users active on the trunk, the less bandwidth NetEqualizer will allow per user before issuing a penalty.
- Whether the overall trunk is saturated. A trunk is saturated when it reaches the percentage defined by the RATIO parameter (default RATIO = 85%).

Equalizing and Peer-to-Peer Traffic

In addition to our fairness rules, NetEqualizer offers Connection Limits as a way to handle peer-to-peer (P2P) traffic. As P2P traffic may be short, bursty-type traffic, another mechanism is needed to control it adequately. Connection Limits enable you to define how many connections each user on your network can open. This will cut down P2P, which tries to open hundreds to thousands of connections on your network. We believe this mechanism to be superior to managing policy files of known P2P traffic types (which will not help with encrypted P2P in any case). Both encrypted and unencrypted P2P traffic are Connection Limited. This is described in more detail in Setting Connection Limits.

APconnections, Inc. // 303.997.1300 // Copyright 2010 APconnections, Inc.
Modifying Equalizing Parameters
Each equalizing parameter is discussed in detail below. For a summary of all equalizing parameters, please see Appendix 1, which contains a one-page cheat sheet with the default settings and recommendations.
Parameters to Adjust Equalizing Sensitivity

In the table displayed on the screen, you can modify the following parameters to adjust equalizing sensitivity:

TRUNK_UP and TRUNK_DOWN (units are bytes per second, Default = T1)

Set these parameters to the size of your network pipe for outbound traffic (TRUNK_UP) and inbound traffic (TRUNK_DOWN). Making either of these parameters larger than your actual trunk size will make the shaping rules less restrictive. Making them smaller than your actual trunk size will make them more restrictive. Alternatively, you can reduce RATIO to make shaping rules more restrictive.

From the Web GUI Main Menu, Click on ->Parameters->Modify parameters

In the table displayed on the screen, you should see TRUNK_UP & TRUNK_DOWN.

You need to stop and restart the NetEqualizer process for changes to take effect after changing your Trunk Size.

From the Web GUI Main Menu, Click on ->Miscellaneous->Stop NetEq then ->Miscellaneous->Start NetEq

PENALTY_UNIT (units are 100ths of seconds, Default = 5)

PENALTY_UNIT is the unit of time that NetEqualizer will start with when delaying a packet of Internet data. It iteratively increases penalties by this value should a hog not respond to the initial penalty. By increasing the size of this parameter, the NetEqualizer will scale back hogs more quickly. Note that the higher your network speed, the more sensitive it is to PENALTY_UNIT. The default value of 5 will work fine on any network, but if you see the NetEqualizer slowing streams too severely, you may want to reduce this value. Here are some recommended settings for PENALTY_UNIT, based on network size:

    Network Size              PENALTY_UNIT
    < 5Mbps                   5 or 6
    >= 5Mbps to 45Mbps        2 or 3
    >= 45Mbps *               1

* Networks much larger than 45 megabits may require a PENALTY_UNIT resolution smaller than 100ths of seconds. In the NetEqualizer Web GUI, the smallest penalty that can be applied to an IP packet is 1/100 of a second. If you are finding that a PENALTY_UNIT of 1 is still putting too much latency on your connections, then you can change the penalty unit to 1/1000 of a second with the following command:

From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command

Type in: /bridge/bridge-utils/brctl/brctl rembrain my 99999

MAX_PENALTY (units are 100ths of seconds, Default = 140)

This is the maximum delay that NetEqualizer will allow. NetEqualizer increments a delay by the value of PENALTY_UNIT every few seconds in the event a connection continues to use excessive bandwidth, until MAX_PENALTY is reached. A MAX_PENALTY of 200 (2 seconds) usually kills the connection altogether, as most servers on the Internet give up communicating when communications lag for more than two seconds.
HOGMIN (units are bytes per second, Default = 12,000)

HOGMIN defines the traffic level below which a connection will not be penalized. In other words, a connection using less bandwidth in bytes per second than this number will never get penalized. The default value of 12,000 bytes per second (96 kbps) will ensure that most VoIP traffic is never accidentally throttled back when NetEqualizer reaches a congestion threshold, as VoIP will be below HOGMIN. With larger network pipes, you may want to raise HOGMIN to allow more traffic types to pass without being penalized. Here are some recommended settings for HOGMIN, based on network size:

    Network Size              HOGMIN
    < 100Mbps                 12,000
    >= 100Mbps to 1Gbps       20,000
    >= 1Gbps *                40,000

HOGMAX (units are bytes per second, Default = 1,000,000)

Legacy variable (no longer visible on the latest NetEqualizer Web GUI), but it must be larger than HOGMIN at all times.

Note: If you manually edit the NetEqualizer configuration file, you will see HOGMAX in the configuration. Please keep it set to its default value of 1,000,000.

MOVING_AVG (units are seconds, Default = 8)

MOVING_AVG keeps NetEqualizer from penalizing short bursts of activity. For example, if this variable is set to 8 and the network is hit with a burst of 8,000 bytes over a second from an IP address, the moving average for that second would be 8,000/8, or 1,000 bytes. If the burst persisted for four seconds, the average would be 32,000/8, or 4,000 bytes. The larger this number, the longer a burst can be before it gets penalized. Note that if this parameter is set too high, nothing will ever get penalized. The preset value for MOVING_AVG from our factory-delivered NetEqualizer is designed to handle any size network and need not be changed.

ANCIENT (units are seconds, Default = 20)

How long to keep a penalty in effect, in seconds. The preset value for ANCIENT from our factory-delivered NetEqualizer is designed to handle any size network and need not be changed.
Parameters to Size Internal Tables

BRAIN_SIZE (# of connections to track in 1 second, Default = 10,000)

BRAIN_SIZE determines how many connections NetEqualizer watches at one time. NetEqualizer keeps a mini-history of the activity of all users on a trunk. It uses this database to make decisions on who is using too much bandwidth. Here are some recommended settings for BRAIN_SIZE, based on network size:

    Network Size              BRAIN_SIZE
    < 1Gbps                   10,000
    >= 1Gbps to 5Gbps         20,000
    >= 5Gbps *                30,000

Note: NetEqualizer can handle up to 2 million or more connections every minute. We point this out as many customers compare our connection ability with that of their router, which uses a timeframe of minutes.

To see the contents of the Connection Table

From the Web GUI Main Menu, Click on ->Reports & Graphing->Active Connections

BUFFERS (no longer on Web GUI, Default = 900)

Legacy variable (no longer visible on the latest NetEqualizer Web GUI). BUFFERS controls the number of connections that can simultaneously be penalized (slowed down). When NetEqualizer sets a penalty on a connection, it assigns a delay buffer to this connection to slow it down. NetEqualizer reserves a finite number of delay buffers when it powers up. The preset value for BUFFERS from our factory-delivered NetEqualizer is designed to handle any size network and need not be changed.

Note: If you manually edit the NetEqualizer configuration file, you will see BUFFERS in the configuration. Please keep it set to its default value of 900.

INACTIVE_TICS (units are hundredths of seconds, Default = 200)

This is how long an entry in the BRAIN_TABLE will live before being removed if no activity is detected. Generally we are not interested in connections that are idle. For example, a value of 200 for this parameter instructs the NetEqualizer to cancel tracking a connection after 2 seconds of inactivity.
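The parameters above interact, and the guide describes the resulting behavior only in prose. The following Python model is an added illustration and is not APconnections' code (the real equalizing algorithm is proprietary and not shown on this page). It implements only the documented rules, using the guide's parameter names and defaults, and treats everything else as an assumption: a one-second tick, a per-connection moving average computed as bytes-in-window divided by MOVING_AVG exactly as in the MOVING_AVG example, "congested" meaning the tick's total exceeds TRUNK_DOWN x RATIO, and a penalty lapsing ANCIENT seconds after it was last escalated. The traffic scenario (a 160,000 byte/s download, a 10,000 byte/s VoIP call and a three-second web burst on a T1-sized inbound trunk) is constructed for the example; the addresses are documentation ranges.

```python
from collections import defaultdict, deque

# Defaults as documented above; units as documented.
RATIO = 85            # percent of trunk at which the trunk counts as saturated
HOGMIN = 12_000       # bytes/s; connections averaging below this are never penalized
PENALTY_UNIT = 5      # hundredths of a second added at each escalation
MAX_PENALTY = 140     # hundredths of a second; the delay is capped here
MOVING_AVG = 8        # seconds of history averaged per connection
ANCIENT = 20          # seconds a penalty stays in effect


def trunk_bytes_per_second(mbps):
    """TRUNK_UP/TRUNK_DOWN take bytes per second; link speeds are quoted in bits."""
    return round(mbps * 1_000_000 / 8)


class Equalizer:
    """Assumed model of the default-mode decision loop, one tick per second."""

    def __init__(self, trunk_bps, ratio=RATIO, hogmin=HOGMIN,
                 penalty_unit=PENALTY_UNIT, max_penalty=MAX_PENALTY,
                 moving_avg=MOVING_AVG, ancient=ANCIENT):
        self.threshold = trunk_bps * ratio / 100    # saturation point, bytes/s
        self.hogmin = hogmin
        self.penalty_unit = penalty_unit
        self.max_penalty = max_penalty
        self.moving_avg = moving_avg
        self.ancient = ancient
        # per connection (src, dst): the last MOVING_AVG seconds of byte counts
        self.history = defaultdict(lambda: deque(maxlen=moving_avg))
        self.penalty = {}    # connection -> current delay, hundredths of a second
        self.last_hit = {}   # connection -> tick at which the delay was last escalated
        self.peak = {}       # connection -> largest delay ever applied (for inspection)
        self.log = []        # PENALTY lines in the spirit of the standard log

    def tick(self, t, bytes_by_conn):
        """Account one second of traffic; returns True if the trunk was congested."""
        for conn in set(self.history) | set(bytes_by_conn):
            self.history[conn].append(bytes_by_conn.get(conn, 0))
        congested = sum(bytes_by_conn.values()) > self.threshold
        if congested:
            for conn, window in self.history.items():
                # Same arithmetic as the MOVING_AVG example: bytes in window / MOVING_AVG
                avg = sum(window) / self.moving_avg
                if avg <= self.hogmin:
                    continue                      # short bursts and VoIP stay below HOGMIN
                delay = min(self.penalty.get(conn, 0) + self.penalty_unit, self.max_penalty)
                self.penalty[conn] = delay
                self.last_hit[conn] = t
                self.peak[conn] = max(self.peak.get(conn, 0), delay)
                self.log.append(f"t={t} PENALTY {conn[0]} {conn[1]} delay={delay}")
        # Assumption: a penalty lapses ANCIENT seconds after its last escalation
        for conn in [c for c in self.penalty if t - self.last_hit[c] >= self.ancient]:
            del self.penalty[conn]
            self.log.append(f"t={t} penalty removed {conn[0]} {conn[1]}")
        return congested


# Constructed traffic; addresses are documentation ranges.
HOG = ("10.1.1.5", "203.0.113.9")      # long download, well above HOGMIN
VOIP = ("10.1.1.7", "198.51.100.4")    # 10,000 bytes/s call, below HOGMIN
WEB = ("10.1.1.8", "192.0.2.10")       # three-second page load


def run_scenario():
    """Ten congested seconds, then the download backs off; returns (equalizer, flags)."""
    eq = Equalizer(trunk_bytes_per_second(1.544))   # T1 inbound: 193,000 bytes/s
    congested = []
    for t in range(30):
        traffic = {VOIP: 10_000, HOG: 160_000 if t < 10 else 30_000}
        if t < 3:
            traffic[WEB] = 20_000
        congested.append(eq.tick(t, traffic))
    return eq, congested


if __name__ == "__main__":
    eq, flags = run_scenario()
    print("\n".join(eq.log))
```

Running it shows only the download being penalized, escalating by PENALTY_UNIT each congested second (5, 10, ... 50), while the VoIP call and the short web burst never clear HOGMIN; the penalty is dropped ANCIENT seconds after the last escalation. Driving the same trunk with a single hog for 40 seconds shows the cap at MAX_PENALTY. Raising RATIO or TRUNK_DOWN, or lowering PENALTY_UNIT, changes the result in the directions the text above describes.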
Bandwidth Rules: Priority and Limits
NetEqualizer's default equalizing rules (default mode) are able to handle congestion-related traffic flow problems for most organizations. Most types of traffic that organizations want to prioritize are prioritized by default just by using the default equalizing rules. However, some organizations need to set up Bandwidth Rules for specific traffic types, either to change their priority or to limit their bandwidth usage.

NetEqualizer supports two types of Bandwidth Rules:

Bandwidth Priority Rules
    Gives known IP addresses and their associated streams preferential treatment. Bandwidth Priority Rules are most often used for video traffic. For example, if a business is streaming training videos into corporate offices, a "Priority Host" Rule would need to be set up to prioritize the IP address of the server or site hosting the training videos.

Bandwidth Limiting Rules
    Limits the amount of bandwidth a specific IP address or set of IP addresses can use. Typically used to carve out maximum bandwidth usages for a particular subscriber base. For example, a college network administrator may want to set up separate bandwidth usage categories with separate bandwidth limits for each of three subnets: 1) students, 2) faculty, and 3) administrators. This would be accomplished by using the "Pools" Bandwidth Limiting Rule, which can be used to set up three separate pools, each with their own bandwidth limit:

    Pool1 = students         2Mbps up / 1Mbps down
    Pool2 = faculty          5Mbps up / 2Mbps down
    Pool3 = administrators   3Mbps up / 1.5Mbps down
d. Priority traffic is given immunity to flow control. These streams will not be slowed by PENALTIES applied in Equalizing (Default Mode). However, any Bandwidth Limiting Rules, such as Hard Limits, will remain in effect.
Connection Limits control the number of inbound and outbound data streams (IP pairs or "connections") that each user on your network can create. Connection Limits are bi-directional; any limit you set is divided in two and applied. For example, a Connection Limit of sixty (60) would be turned into two connection limits: thirty (30) inbound and thirty (30) outbound connections.
There are more reasons for system administrators to limit connections to a server than we can possibly include in this discussion. The APconnections design team developed this feature within NetEqualizer to lessen the effects of Peer-to-Peer traffic (P2P) and Denial of Service (DoS) attacks, which we will discuss here.

Peer-to-Peer traffic attempts to create hundreds, or possibly thousands, of simultaneous connections to absorb a lot of your network bandwidth. Setting Connection Limits effectively blocks or reduces P2P by not allowing connections over the limit you specify.

In a DoS attack, storms of incoming connections are generated by attackers with the intention of overwhelming a server or servers. An attacker will spoof requests, sending storms of erroneously addressed connection requests to your server. These request storms create overwhelming administrative overhead, crippling the server and requiring a reboot by IT staff. While there are techniques that attempt to validate the incoming requests by sending queries back to the sending IP address for verification, these approaches create more traffic on the network. Instead of this approach, we chose to address the issue by setting DoS protection via Connection Limits.

NetEqualizer Connection Limits keep a total count of active connections (of any type) per IP address. Additional connections are dropped. Connection Limits can be set per individual IP or for an entire subnet at one time.

To set up a Connection Limit

From the Web GUI Main Menu, Click on ->Add Rules->Connection Limits

To see your Connection Limits

From the Web GUI Main Menu, Click on ->Miscellaneous->Show NetEq config

You will see something like the following:

    CONNECTION 10.1.1.11/32 30 0

There will be one row, encompassing both an inbound and outbound Connection Limit, listing half the value you selected (i.e. for VAL=60, you would see 30 in the row as above). The rows will start with "CONNECTION" and also show the IP address(es) that are being connection limited.

Most normal users typically peak out at 10 to 15 connections per second each for INBOUND and OUTBOUND traffic, so a Connection Limit of 40 would suffice in most cases. Setting a Connection Limit = 40 is a good recommendation and excellent at controlling most Peer to Peer traffic.

Note: If you have online gamers on your network, you may need to set your Connection Limit as high as sixty (60) to facilitate online game playing.

Order is important in setting up Individual Connection Limits! If you set up Connection Limits for an entire subnet, and want to have a different Connection Limit apply to an IP address within that subnet, you need to do the following, in this order:

1) Set up a Connection Limit for the individual IP address.
2) Set up a Connection Limit for the entire subnet (/16, /24, or /32).
Typically this would be done if you had an e-mail or DNS server within the subnet range that might require additional connections during network operation. We recommend setting Connection Limits = 3,000 for email and DNS servers.

To see your Active Connections

From the Web GUI Main Menu, Click on ->Reports & Graphing->Active Connections

You can also set up a Global Connection Limit on your network. This would set a connection limit to apply to all IP addresses.

To set up a Global Connection Limit

From the Web GUI Main Menu, Click on ->Add Rules->Global Connection Limit

As with Individual Connection Limits, the Global Connection Limit will be set to half of this value for IN traffic and half for OUT traffic.

Note: We recommend using Individual Connection Limits over a Global Connection Limit. This is because the global limit counts connections against both the source IP address and the destination IP address. While this is fine in many cases, it can have unforeseen consequences where one Internet address is accessed at great frequency. For example, if students on a network all access YouTube, and youtube.com resolves to the same IP address for all of them, a Global Connection Limit would cause that YouTube address to be connection limited. Many students would not be able to access the YouTube website.
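To make the two warnings above concrete (the first matching rule wins, so an individual IP must be entered before its subnet; and a global limit also counts the remote destination), here is an added Python illustration. It is not NetEqualizer code. It parses CONNECTION rows in the form the guide shows under ->Miscellaneous->Show NetEq config, assumes the third field is the per-direction limit and ignores the trailing 0 (which the guide does not explain), and admits a new connection only if no limited endpoint is already at its count; anything over the count is dropped, as the text states. The config text, the connection attempts, and the choice of a mail server at 10.1.1.11 with a 3,000 limit are constructed for the example, using documentation address ranges.

```python
import ipaddress

# Constructed config in the row format shown under Show NetEq config.
# Rows carry the per-direction halves: 3,000 for the mail server, 40 for the subnet.
SAMPLE_CONFIG = """\
CONNECTION 10.1.1.11/32 1500 0
CONNECTION 10.1.1.0/24 20 0
"""


def per_direction(value):
    """A Connection Limit of VAL is split into VAL/2 inbound and VAL/2 outbound."""
    return value // 2


def parse_connection_rules(text):
    """Return [(network, per_direction_limit), ...] in config order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "CONNECTION":
            continue
        # Assumption: field 3 is the per-direction limit; the trailing field is undocumented here.
        rules.append((ipaddress.ip_network(fields[1], strict=False), int(fields[2])))
    return rules


def limit_for(ip, rules):
    """First matching rule wins: an individual IP entered after its subnet is shadowed."""
    addr = ipaddress.ip_address(ip)
    for network, limit in rules:
        if addr in network:
            return limit
    return None


def counts(active, ip):
    """(inbound, outbound) active connections for ip; inbound means ip is the destination."""
    inbound = sum(1 for src, dst in active if dst == ip)
    outbound = sum(1 for src, dst in active if src == ip)
    return inbound, outbound


def admit_individual(active, src, dst, rules):
    """Individual limits: only endpoints covered by a CONNECTION rule are counted."""
    src_limit = limit_for(src, rules)
    if src_limit is not None and counts(active, src)[1] >= src_limit:
        return False
    dst_limit = limit_for(dst, rules)
    if dst_limit is not None and counts(active, dst)[0] >= dst_limit:
        return False
    return True


def admit_global(active, src, dst, value):
    """Global limit: every address, the remote destination included, gets the same cap."""
    cap = per_direction(value)
    return counts(active, src)[1] < cap and counts(active, dst)[0] < cap


def simulate(attempts, decide):
    """Replay connection attempts in order; return those that were admitted."""
    active = []
    for src, dst in attempts:
        if decide(active, src, dst):
            active.append((src, dst))
    return active


def p2p_and_mail_demo(rules):
    """A P2P client tries 100 peers; 500 remote hosts open sessions to the mail server."""
    p2p = [("10.1.1.20", f"203.0.113.{i % 250 + 1}") for i in range(100)]
    mail = [(f"198.51.100.{i + 1}" if i < 250 else f"192.0.2.{i - 249}", "10.1.1.11")
            for i in range(500)]
    admitted = simulate(p2p + mail, lambda a, s, d: admit_individual(a, s, d, rules))
    return counts(admitted, "10.1.1.20")[1], counts(admitted, "10.1.1.11")[0]


def global_limit_demo(value=40):
    """25 students each open one connection to the same video-site address."""
    attempts = [(f"10.1.1.{100 + i}", "203.0.113.50") for i in range(25)]
    return len(simulate(attempts, lambda a, s, d: admit_global(a, s, d, value)))


if __name__ == "__main__":
    rules = parse_connection_rules(SAMPLE_CONFIG)
    print("individual, correct order:", p2p_and_mail_demo(rules))
    print("individual, subnet first:", p2p_and_mail_demo(list(reversed(rules))))
    print("global 40, students admitted to one site:", global_limit_demo(40))
```

With the rows in the order shown, the P2P client is held to 20 outbound connections while the mail server accepts all 500. Reverse the two rows and the server is also cut off at 20, which is the ordering pitfall the text warns about. Under a Global Connection Limit of 40, only 20 of the 25 students reach the shared site address, although none of them is anywhere near their own limit.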
Hard Limit by IP

This command is used to set a fixed amount of individual bandwidth for a single IP address or an entire set of IP addresses specified by a subnet mask (all IP addresses in the subnet range will receive the specified hard limit). Hard limits can be set up for a Class B subnet, a Class C subnet, or any legal prefix length from /1 to /32. The bandwidth assigned is not shared. For example, if you set up 2Mbps up/1Mbps down for four different IP addresses, each IP address will get 2Mbps/1Mbps to use.

To set up a Hard Limit by IP

From the Web GUI Main Menu, Click on ->Add Rules->Hard Limit by IP

NetEqualizer allows up to sixty thousand (60,000) unique active Hard Limits.

Notes: In version 4.7 and above, NetEqualizer supports "bursting" for your Hard Limits. See "Adding Bursting to Hard Limits" for details. Tips on fine tuning the behavior of Hard Limits can be found in Appendix 3.
Adding "Bursting" to Hard Limits
In addition to setting a Hard Limit by IP address, as of software update 4.7, we have enabled "bursting" above the Hard Limit. Prior to the bursting feature, the top speed allowed for each user was fixed at the set Hard Limit. Now with bursting, a user can be allowed a burst of bandwidth for up to 10 seconds at two, three, four, or any multiple of their base Hard Limit.

For example, if a user has an incoming base Hard Limit of 2 megabits per second and a burst factor of 4, then their inbound connection will be allowed to burst all the way up to 8 megabits per second for 10 seconds (2Mbps HARD LIMIT x 4 BURST FACTOR = 8Mbps inbound BURST LIMIT), at which time it will revert back to the original 2 megabits per second. If the outgoing base Hard Limit was set to 1 megabit per second, with the same burst factor, the outbound BURST LIMIT would be 4Mbps.

This type of burst will be noticed when loading large Web pages full of graphics. From a user's perspective, pages will essentially fly up in the browser at warp speed. In order to make bursting a special feature, it obviously can't be on all the time. For this reason, by default the NetEqualizer will force a user to wait 80 seconds before they can burst again.

To set up Bursting on an IP Address

From the Web GUI Main Menu, Click on ->Add Rules->Hard Limit by IP

The last field in the command specifies the burst factor. Leave this field set to 1 for no bursting, or set it to a multiple greater than 1 for bursting. BURST FACTOR is multiplied by the incoming and outgoing HARD LIMITs to arrive at the BURST LIMITs (the speed you wish to burst up to). For our example above:

    2Mbps incoming HARD LIMIT x 4 BURST FACTOR = 8Mbps inbound BURST LIMIT
    1Mbps outgoing HARD LIMIT x 4 BURST FACTOR = 4Mbps outbound BURST LIMIT

Note: Once bursting has been set up, bursting on an IP address will start when that IP exceeds its rate limit (across all connections for that IP). The burst applies to all connections across the IP address.

To remove Bursting on an IP Address

You must remove the Hard Limit on the IP address and then recreate the Hard Limit by IP without bursting defined.

From the Web GUI Main Menu, Click on ->Remove/Deactivate Rules. Select the appropriate Hard Limit from the drop-down box. Click on ->Remove Rule.

To re-add the rule without bursting, from the Web GUI Main Menu, Click on ->Add Rules->Hard Limit by IP and leave the last field set to 1.

There are two global burst parameters that apply to all bursting that you have set up. These are BURST DELAY, the time between bursts, and BURST DURATION, how long a burst lasts. BURST DELAY is defaulted to 80 seconds. BURST DURATION is defaulted to 10 seconds.
To change the global burst parameter defaults

From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command

In the space provided you would type in the following command:

    /usr/sbin/brctl setburstparams my 40 30

(assuming you wanted the BURST DELAY to be 40 and BURST DURATION to be 30)

The first parameter, BURST DELAY, is the time, in seconds, an IP must wait before it can burst again. If an IP has done a burst cycle it will be forced to wait this long, in seconds, before it can burst again. BURST DELAY is defaulted to 80 seconds. This means that an IP address will wait 80 seconds after its last burst duration completes before bursting again.

The second parameter, BURST DURATION, is the time, in seconds, an IP will be allowed to burst before being relegated back to its base Hard Limit.

Note: At this time, the global burst parameters are not persistent, meaning you will need to put a command in the startup file (autostart) if you want them to stick between re-boots. You need to add this line to the bottom of the autostart file.

To edit the autostart file

From the Web GUI Main Menu, Click on ->Miscellaneous->Edit autostart

Add the following line at the bottom of the autostart file to change your global burst parameter settings:

    /usr/sbin/brctl/setburstparams my 40 30

Bursting and Speed Tests

With the default settings of 10 second bursts and an 80 second time out before the next burst, it is unlikely a user will be able to see their full burst speed accurately with a speed test site. The easiest way would be to extend the burst time to minutes, instead of the default 10 seconds, and then run the speed test. With the default set at 10 seconds, the best way to see a burst in action is to take a continuous snapshot of an IP's consumption during an extended download.

Note: Before you implement bursting, you may want to consider the downside of bursting. See our 2009 blog article on this subject.
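An added Python illustration (not APconnections' code) of the burst cycle the two sections above describe: the BURST LIMIT is HARD LIMIT x BURST FACTOR, a burst starts when the IP's demand exceeds its Hard Limit, lasts BURST DURATION seconds, and then BURST DELAY seconds must pass after the burst ends before the next one may start. It also shows why a speed test averaged over 20 seconds reports far less than the burst limit. The one-second time steps, and the assumption that a burst begins on the first second in which demand exceeds the limit and then runs its full duration regardless of demand, are modelling choices, not documented behavior.

```python
BURST_DURATION = 10   # seconds a burst lasts (default)
BURST_DELAY = 80      # seconds after a burst ends before the next may start (default)


def burst_limits(hard_in_mbps, hard_out_mbps, burst_factor):
    """BURST LIMIT = HARD LIMIT x BURST FACTOR, for each direction."""
    return hard_in_mbps * burst_factor, hard_out_mbps * burst_factor


class BurstingHardLimit:
    """Rate ceiling for one IP in one direction, stepped one second at a time."""

    def __init__(self, hard_limit, burst_factor=1,
                 burst_duration=BURST_DURATION, burst_delay=BURST_DELAY):
        self.hard = hard_limit
        self.factor = burst_factor          # 1 means no bursting, as in the GUI field
        self.duration = burst_duration
        self.delay = burst_delay
        self.burst_started = None           # second at which the current or last burst began

    def ceiling(self, t, demand):
        """Highest rate allowed at second t for an IP that wants `demand`."""
        if self.burst_started is not None:
            burst_end = self.burst_started + self.duration
            if t < burst_end:
                return self.hard * self.factor       # still inside the burst
            if t < burst_end + self.delay:
                return self.hard                     # cooling down: base Hard Limit only
            self.burst_started = None                # delay over, eligible again
        # Assumption: a burst begins the first second demand exceeds the Hard Limit
        if self.factor > 1 and demand > self.hard:
            self.burst_started = t
            return self.hard * self.factor
        return self.hard


def throughput_profile(limiter, demand, seconds):
    """Per-second rate actually obtained by an IP with constant demand."""
    return [min(demand, limiter.ceiling(t, demand)) for t in range(seconds)]


def speed_test_average(limiter, demand, seconds):
    """What a download-based speed test would report: the mean over its window."""
    profile = throughput_profile(limiter, demand, seconds)
    return sum(profile) / len(profile)


if __name__ == "__main__":
    # The guide's example: 2 Mbps inbound Hard Limit, burst factor 4, a 10 Mbps demand.
    inbound = BurstingHardLimit(2, burst_factor=4)
    print(throughput_profile(inbound, 10, 100))
    print("20 s speed test reports:", speed_test_average(BurstingHardLimit(2, 4), 10, 20), "Mbps")
```

With the defaults, the 2 Mbps / factor 4 user gets 8 Mbps for seconds 0 to 9, falls back to 2 Mbps for the next 80 seconds, and bursts again at second 90; a 20-second speed test therefore averages 5 Mbps, not 8. Passing burst_duration and burst_delay mirrors the setburstparams command above, and a burst factor of 1 never bursts.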
Bandwidth Pools

A Bandwidth Pool is a collection of IP addresses that share a bandwidth allocation. Once IP addresses are contained within a bandwidth pool, the sum total of bandwidth for all the IP addresses will not be allowed to exceed the total bandwidth allocated to the bandwidth pool. For example, if four IP addresses are set in a pool, and the pool bandwidth is set at 1Mbps, then the total bandwidth for all four IPs is 1Mbps (the total, not per IP). Pools were added to NetEqualizer to accommodate cases where bandwidth is advertised and sold as "you are one of n customers sharing x bandwidth".
Think of a pool as a "virtual NetEqualizer". You can group users into logical trunks by IP address and apply equalizing technology to each logical group (bandwidth pool). For the example above, equalizing will occur across the four IPs in the 1Mbps bandwidth pool. Equalizing is performed in the same fashion as across your entire network trunk, but in this case it equalizes within the bandwidth pool. When the total bandwidth threshold for that pool is reached, determined by the RATIO parameter, then any large connections (over HOGMIN) associated with IP addresses within the bandwidth pool will be penalized. Virtual equalizing was added for network topologies where bandwidth congestion is occurring at nodes in the network, not necessarily at the WAN/LAN connection. For example, this could be occurring in a wireless network where bandwidth congestion occurs at the wireless hotspots or in the backhaul connections. Individual bandwidth pools can be defined with the IPs of users at each hotspot and equalizing applied per hotspot. Another example would be using bandwidth pools to set up equalizing at the subnet level. For example, a university may split their network into faculty, administrators, and student subnets. Each of these subnets could be defined as a bandwidth pool, with separate upload/download speeds that are shared by all users in the pool. To set up a Bandwidth Pool From the Web GUI Main Menu, Click on ->Bandwidth Pools->Add Pool Large Bandwidth Pools (>=10Mbps) In software update 4.7 and above, pool limits were enhanced for Large Bandwidth Pools (a bandwidth pool >=10 Mbps). We smoothed our rate limits so that packets are slowed down progressively before dropping packets. In order to implement this feature, you will need to run a tuning command. Please see Appendix 3 for instructions on how to tune the NetEqualizer to handle Large Bandwidth Pools. 
Once a Bandwidth Pool is in the system, you can add and remove members.

To Add or Remove Members of a Bandwidth Pool
From the Web GUI Main Menu, Click on ->Bandwidth Pools->Add Member or Remove Member

Notes:
1) You can add individual IP addresses or entire subnets to Bandwidth Pools.
2) IP addresses within a Bandwidth Pool need not be contiguous. You can add members to a Bandwidth Pool in any order.
3) Bandwidth Pools cannot overlap with Hard Limits by IP. Once an IP address is in a Bandwidth Pool it may not also exist as an individual Hard Limit. You will get an error if you try to add an IP address to a Bandwidth Pool that already exists as a Hard Limit.
4) If you create a Priority Host IP address, and the IP address exists within a Bandwidth Pool, it will receive priority over the other IP addresses within the pool.

To view all current Bandwidth Pools on your system
From the Web GUI Main Menu, Click on ->Bandwidth Pools->View Pools

To view all IP addresses assigned to Bandwidth Pools
From the Web GUI Main Menu, Click on ->Bandwidth Pools->View Members
Then select the Pool # of the Bandwidth Pool in the dropdown box.

To see Bandwidth Pools in the NetEqualizer Log file
Bandwidth usage for defined bandwidth pools is reported every 20 seconds in the standard NetEqualizer Log.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Show the Log

To remove a Bandwidth Pool
From the Web GUI Main Menu, Click on ->Bandwidth Pools->Remove Pool
Note: You do not need to remove all members from a Bandwidth Pool before you can remove it. You do need to stop and restart the NetEqualizer process for the change to take effect after removing a bandwidth pool.
From the Web GUI Main Menu, Click on ->Miscellaneous->Stop NetEq, then ->Miscellaneous->Start NetEq

The bandwidth restriction on a pool may fluctuate a bit depending on the type of traffic. Heavy use of UDP traffic tends to run over the limit, and heavy TCP/IP traffic (FTP, for example) tends to be held below the limit.

In NetEqualizer Software Update 4.5 and above, Bandwidth Pools can number from 1 to 300, i.e. up to 300 different bandwidth pools per NetEqualizer (in previous versions the number is limited to 40).

Note: Tips on fine tuning the behavior of Bandwidth Pools can be found in Appendix 3.
If you utilize VLANs on your network, you can set up your bandwidth limit rules to use your predefined VLANs.

To set up a VLAN Hard Limit
From the Web GUI Main Menu, Click on ->Add Rules->VLAN Hard Limit
Select a VLAN id from 1 to 2000.
Set the incoming bytes per second.
Set the outgoing bytes per second.

This will create a shaping rule and cause the NetEqualizer to enforce your rate limit such that the aggregate bandwidth usage of all current VLAN users will not exceed the values selected for incoming and outgoing bytes per second.

In addition to enforcing the VLAN rate limits, the NetEqualizer will perform Equalizing across all users on the VLAN when Default Rules are on. This works similarly to Bandwidth Pools, in that "virtual equalizing" is applied across all users on a VLAN. For example, if you set the download limit on a specific VLAN to 192,000 bytes per second (T1) and the VLAN usage level reaches 85 percent of that limit, the NetEqualizer will begin to penalize any connection within the VLAN that exceeds the value of HOGMIN.
Large VLANs (>=10Mbps)
In software update 4.7 and above, VLAN Limits were enhanced for Large VLANs (>=10 Mbps). We have smoothed our rate limits so that packets are slowed down progressively before packets are dropped. To use this feature you need to run a tuning command; see Appendix 3 for instructions on how to do this.

Note: If you limit by VLAN, you should not set up Hard Limits by IP that cross over the same range of IP addresses.
MAC addresses are the unique identifiers of Ethernet cards on user or client machines. Usually the MAC address of an Ethernet card is printed on the card. When NetEqualizer shapes traffic by MAC address, it limits traffic to and from a specific host based on the MAC address of the Ethernet card in that host.

To set up a Hard Limit by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Add MAC Limit
Note: You also need to start MAC shaping once all your Hard Limits by MAC address are in place.
From the Web GUI Main Menu, Click on ->Shape by MAC->(Re)start MAC shaping

To remove a Hard Limit by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Remove MAC Limit
Note: You also need to restart MAC shaping once your removal is complete.
From the Web GUI Main Menu, Click on ->Shape by MAC->(Re)start MAC shaping

To view all of your Hard Limits by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Show MAC Limits

To stop hard limiting by MAC address
From the Web GUI Main Menu, Click on ->Shape by MAC->Stop MAC shaping
This command turns off all of your MAC Hard Limits.

Note: We recommend using Hard Limits by IP address instead of shaping by MAC address, because in many cases MAC addresses do not make it through routers or access points. Most of the time you would only see the address of the router or access point, which would not let you shape down to the user level on your network.
Bandwidth Usage
Bandwidth Usage features encompass defining how much bandwidth to give a user over a specified time period (setting user quotas), how to handle unauthorized access attempts (MAC redirection), and ensuring that local network traffic is not equalized (masks).
1. Setting User Quotas - Define bandwidth usage limits for a time period.
2. MAC Redirection - Define authorized MACs on your network.
3. Masks - Local traffic hidden from NetEqualizer.
NetEqualizer software update 4.5 and above enables you to develop a system to enforce quota bandwidth limits for your customers, by tracking usage over time across an IP address or set of IP addresses. This functionality is provided via the NetEqualizer User-Quota API (NUQ API) Programmer's Toolkit. Other industry terms for this process include bandwidth allotment and usage-based service.

Background
Prior to the 4.5 release, we provided a GUI-based user limit tool, but it was discontinued with release 4.0. The GUI tool did not have the flexibility for application development and was inadequate for customizations. The NetEqualizer User-Quota API (NUQ API) programmer's toolkit is our replacement for the GUI tool. The motivation for developing the toolkit was to allow ISPs, satellite providers, and other Internet management companies to customize their business processes around user limits. The NUQ API is a quick and easy way to string together a program of actions in unique ways to meet your needs. However, it does require basic programming/Linux skills.
Terms of Use
APconnections, the maker of the NetEqualizer, is an OEM manufacturer of a bandwidth shaper. The toolkit (see Appendix 6) provides short examples of how to use the NUQ API to get you started developing a system to enforce quota bandwidth limits for your customers. You are free to copy/paste and use our sample programs in the programmer's toolkit to your liking. However, NUQ API questions and support are not covered in the normal setup of the NetEqualizer product (NSS) and must be negotiated separately. Please call 303.997.1300 x103 or email sales@apconnections.net to set up a support contract for the NUQ API programmer's toolkit.

Once you have upgraded to version 4.5 and have purchased a current NSS, please contact APconnections for installation instructions. Once installed, you can find the tools in the directory /art/quota.

Starting the Quota Server
In order to use the NUQ API programmer's toolkit, you must have the main quota server running.
To start the quota server from the Linux command line
From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
Then type:
# /art/quota/quota &
Once the quota main process is running, you can make requests using the command line API. The following API commands are available. To see an example of how to use these commands, please reference Appendix 6.

NUQ API Commands
/art/quota/quota & - MUST BE RUN FIRST. Starts the quota server from the NetEqualizer command line.
quota_create - Start tracking data for a block (subnet) of IP addresses in a range.
quota_remove - Remove a block of IP addresses from the quota system.
quota_set_alarm - Set an alarm when an IP address reaches a defined limit. Alarm notifications are reported in the log /tmp/quotalog.
quota_remove_alarm - Remove all alarms in effect on the specified subnet.
- Reset the usage counters for the specified subnet range.
- Show the current usage byte count for the specified IPs in the range on the console. The usage counters must have been initiated with the quota_create command. Also writes usage statistics to the default log /tmp/quotalog.
- Display all current quota rules in effect.
- Set a Hard Limit on an IP address or set of IP addresses. This is the normal response when a user exceeds their quota. HARD is a constant that specifies the type of operation; in this case, HARD indicates "hard limit".
quota_remove - Remove a Hard Limit on an IP address or set of IP addresses.

Various status messages are reported in the log along with ALARMs and usage statistics.
We will be adding more examples and features in the near future. Please e-mail support@apconnections.net with feature requests and bug reports on this tool.
MAC Redirection

MAC Redirection is used to define MAC addresses that are authorized to be on your network. Any undefined MAC address is considered unauthorized and will be either:
1) "redirected" to a website of your choosing, or
2) dropped.

To set up MAC redirection
From the Web GUI Main Menu, Click on ->Shape by MAC->Setup MAC Redirect
You need to add ALL authorized MAC addresses (the MAC addresses you wish to allow on your network). Make sure to include your DNS servers in the allowed list.

To set up all authorized MAC addresses
From the Web GUI Main Menu, Click on ->Shape by MAC->Add MAC to macs.allow
Note: Each MAC and associated name or description must be unique.

To remove a MAC address from your authorized list
From the Web GUI Main Menu, Click on ->Shape by MAC->Remove MAC in macs.allow

Any time you add or remove an authorized MAC address, you will need to restart the NetEqualizer Firewall for the change to take effect.
From the Web GUI Main Menu, Click on ->Firewall->Start or Restart firewall
At this point only the authorized MAC addresses will pass through the system; the rest will be blocked.

When enabled, MAC redirection consults the macs.allow file when an outgoing connection is made from your network to the Internet. If the user has a browser active and the MAC address is unauthorized, the connection is dropped, unless you have redirected their browser to a website of your choosing.

To select the website to redirect to
From the Web GUI Main Menu, Click on ->Firewall->Sample Firewall Rules
You will find examples of setting up Redirection under this tab. Should you need assistance, please call our Support Team at 303.997.1300 x102 or email support@apconnections.net. However, MAC Redirect questions and support are not covered in the normal setup of the NetEqualizer product (NSS) and must be negotiated separately.

Redirection to a web site is typically done to inform unauthorized users how to subscribe to your network or whom to contact about your network and its use. You can also elect to just drop all unauthorized MACs instead of redirecting them.

Note: A MAC address is set by the client and can be copied from any authorized host on the same segment, so macs.allow controls which addresses pass, not who is using them. Treat it as an access list rather than as user authentication; the NAC module (Appendix 5) is the feature that requires unknown users to log in.
The masking features on NetEqualizer are intended to exclude Local Traffic crossing the NetEqualizer link from being considered for any shaping decisions. Masked traffic is invisible to the NetEqualizer. If you are using the NetEqualizer to shape Internet Traffic going across your link, you should use the MASK feature to exclude Local Traffic (i.e. a computer talking to a server on your network).

Masking should not be used to prioritize traffic. Do not use the MASK feature for that purpose; use Priority Hosts to prioritize traffic such as important video streams.

There are two types of masking, paired and absolute. A host or subnet assigned as a paired mask will only be ignored if it is talking to another host or subnet that is also registered as a paired mask. By design, a Paired Mask causes NetEqualizer to ignore hosts talking to other paired-mask hosts, while still subjecting the same hosts to NetEqualizer's bandwidth shaping rules if they make a connection to a server on the Internet. Absolute Masks ignore all traffic to or from the masked host or subnet, regardless of the connection. Prefer paired masks for hosts that also reach the Internet, since an absolute mask exempts all of that host's traffic, including its Internet connections, from shaping.

To set up a Paired or Absolute Mask
From the Web GUI Main Menu, Click on ->Add Rules->Mask
Masks can be set for an individual IP address or for a subnet of any legal mask length (1-32).

Note: In most cases, you will not need to use masking. NetEqualizer is typically set up on your Internet link, and does not see Local Traffic.
Monitoring and Reporting
NetEqualizer provides both real-time and historical reporting, in tabular and graphical formats. This enables you to see data in a format that is most meaningful to you, over a variety of timeframes.

Real-time reporting enables you to see what is going on in your network at this moment, in order to actively monitor and manage your network usage. We offer several reports that provide real-time visibility: 1) Instantaneous Bandwidth Usage, 2) Active Connections, 3) the NetEqualizer Log, and 4) Show MAC address for active IPs.

Historical reporting provides you a view into the trends of bandwidth usage on your network across time. This can help you in network design and planning activities, as well as to determine if your bandwidth level requirement is stable or increasing. Historical reporting is available via ntop, an open-source reporting tool that provides reports in both tabular and graphical formats.

Note: You can store and view up to one (1) month of data on the NetEqualizer, if you are running version 4.5 or greater. To view additional history, you can set up a process to dump data periodically to a separate ntop server.

Real-time Reporting
1. Instantaneous Bandwidth Usage - View bandwidth usage at this moment for a specified IP address.
2. Active Connections - View current live data streams (IP address pairs) on your network.
3. Show the NetEqualizer Log - View the NetEqualizer Log file.
4. Show MAC address for active IPs - View the associated MAC address for active IP address connections.

Historical Reporting
5. Graphical Reporting - Use ntop (open source reporting tool) to generate graphs. Ntop is not available on the NETEQ-POE unit.
6. NetEqualizer Data Warehouse - Create a periodic dump of NetEqualizer data to run ntop reporting for > 1 month of history.
7. Sync with Internet Time - Change NetEqualizer to use NTP.
Real-time Reporting
These reports are available to help you see what is going on in your network at the present moment.
One thing we have noticed with reporting tools lately, including ntop (the reporting tool we integrate), is that there is no easy way to show instant bandwidth for a user. Most reporting tools smooth out usage over some time period; a 5 minute average is the norm.

When is an Instant Bandwidth Reporting Tool useful?
1) The five minute average reporting tool is of little use when a customer calls and tells you they are not getting their expected bandwidth on a speed test or video. In these cases it is best to see the instant report while they are consuming the bandwidth, not averaged into a 5 minute aggregate.
2) If a customer has a fixed rate cap, and calls to report that their VOIP is not working well, the easiest and quickest way to check their consumption during the VOIP call is to see it now. You don't need a fancy protocol analyzer to tell them that their file download is using up their full 1 megabit allocation. You just need to know that their line is clear and that they are consuming the full megabit at this instant.

To view instantaneous bandwidth
From the Web GUI Main Menu, Click on ->Reports & Graphing->Show Instant report
You can run the command multiple times by typing in a value greater than 1.
Results will show last second usage in two lines: bandwidth down (inbound) and bandwidth up (outbound).
To view all Active Connections

Active Connections shows the data streams (pairs of IP addresses) that are currently live on your network. As the NetEqualizer is typically shaping an Internet connection, this will show all active Internet connections your NetEqualizer is currently seeing. You can use this report to see which data streams are "hogging" your network by looking at the Wavg value. Wavg values over HOGMIN will be equalized when your network is congested.

To view all active Internet connections
From the Web GUI Main Menu, Click on ->Reports & Graphing->Active Connections
Note in the example below that index #s 0-2, 22-24, and 26-28 are network hogs, as their Wavgs are quite large.
The Active Connections Report contains the following fields:

Field Header   Definition
Index          Table row #
SRCP           The source port for this connection
DSTP           The destination port for this connection (the service being requested: http, FTP, etc.)
Wavg           A weighted average of total bytes on this connection per second for the last eight seconds
Avg            The average in bytes per second since this IP pair came into the table
IP1            Source IP address
IP2            Destination IP address
Ptcl           The protocol (ICMP, TCP/IP, UDP)
Port           Inbound (value = 1) or Outbound (value = 0)
Pool           Pool #. Default is 0 (no bandwidth pools set up). Otherwise, the bandwidth pool #. If you have VLANs set up, this shows the VLAN #.
1) Traffic UP and DOWN
Approximately every twenty seconds, the NetEqualizer Log will contain a date and time stamped entry for traffic UP (outbound) and traffic DOWN (inbound). This is the instantaneous bytes per second of traffic flowing in each direction on your network.

2) PENALTY Entries
A PENALTY entry means that NetEqualizer has decided that a communication link between two IP addresses (a connection) is using too much bandwidth, and so NetEqualizer has levied a PENALTY against this connection. The penalty causes all data on this connection to be delayed by PENALTY_UNIT. If this connection continues to use too much bandwidth, NetEqualizer will increase the amount of this delay, up to your MAX_PENALTY.
3) PENALTY THRESHOLD per Bandwidth Pool (informational only)
The PENALTY THRESHOLD shows the threshold at which penalties will occur, by bandwidth pool. If no bandwidth pools are defined, the default pool 0 (the entire network trunk) is displayed. When the trunk (or bandwidth pool) is not congested, the Up and Down values are simply your defined trunk (bandwidth pool) size. When congestion is occurring, UP and DOWN are the values used to determine how much traffic a user (connection) has to pull to be eligible for a PENALTY. The smallest this value can be is HOGMIN.
Note: PENALTY THRESHOLD lines are NOT actual penalties being applied to your network. See #2, PENALTY entries, for actual penalties on your network.

Sample NetEqualizer Log File
Below is an example of a NetEqualizer Log File. Yours may differ slightly, depending on your NetEqualizer model. In this example, penalties are being taken off traffic where it says "PENALTY REMOVE". Penalties are being applied where it says "PENALTY". You may also see "INCREASE PENALTY" and "PENALTY DECREASE" in your log, which both show how penalties are being adjusted on traffic. If you are under RATIO on your network, you will not see penalties being applied.
Note: The line with the words PENALTY THRESHOLD is NOT a penalty. It is for information purposes only.
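To make the penalty rule concrete across the Bandwidth Pool and VLAN thresholds described earlier and the Active Connections fields above, the following Python is an added example, not NetEqualizer code. It parses a constructed Active Connections report laid out in the column order of the field table, sums Wavg per pool and direction, marks a pool direction congested once it reaches RATIO percent of an assumed pool limit, and lists the connections whose Wavg exceeds HOGMIN within a congested pool. The per-connection threshold is taken as HOGMIN, which the guide gives as the floor of the PENALTY THRESHOLD value; the whitespace-separated layout, the sample rows and the pool limits are assumptions.

```python
"""Decide which Active Connections rows are eligible for a PENALTY.

Added example, not NetEqualizer code. Column order follows the guide's
field table (Index SRCP DSTP Wavg Avg IP1 IP2 Ptcl Port Pool); the
whitespace-separated layout, the sample rows and POOL_LIMITS are
constructed assumptions.
"""

HOGMIN = 12000   # bytes/sec; the guide's default for networks under 100Mb
RATIO = 85       # percent of the pool/trunk size at which congestion begins

# The "Port" column encodes direction: 1 = inbound (down), 0 = outbound (up).
INBOUND, OUTBOUND = 1, 0

# Constructed sample report, one connection per row, same columns as the guide.
SAMPLE_REPORT = """\
Index SRCP  DSTP  Wavg   Avg   IP1           IP2            Ptcl Port Pool
0     443   51234 100000 98000 203.0.113.10  192.168.10.20  TCP  1    1
1     80    51300 9000   8500  203.0.113.11  192.168.10.21  TCP  1    1
2     51301 443   3000   2800  192.168.10.21 203.0.113.11   TCP  0    1
3     5060  5060  700    650   192.168.20.5  203.0.113.50   UDP  0    2
4     443   52000 40000  39000 203.0.113.12  192.168.20.6   TCP  1    2
"""

# Constructed pool limits in bytes/sec, keyed by pool number then direction.
POOL_LIMITS = {
    1: {INBOUND: 125000, OUTBOUND: 125000},     # a 1 Mbps pool
    2: {INBOUND: 1250000, OUTBOUND: 1250000},   # a 10 Mbps pool
}


def parse_report(text):
    """Turn the whitespace-separated report into a list of row dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        row = dict(zip(header, cols))
        for key in ("Index", "SRCP", "DSTP", "Wavg", "Avg", "Port", "Pool"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def pool_usage(rows):
    """Sum Wavg per (pool, direction); this aggregate is tested against RATIO."""
    usage = {}
    for r in rows:
        key = (r["Pool"], r["Port"])
        usage[key] = usage.get(key, 0) + r["Wavg"]
    return usage


def penalty_threshold(limit):
    """Bytes/sec at which a pool direction counts as congested (RATIO percent)."""
    return limit * RATIO // 100


def eligible_for_penalty(rows, limits, hogmin=HOGMIN):
    """Return the Index values that would draw a PENALTY right now: the
    connection's pool direction is at or over its RATIO threshold *and* the
    connection's own Wavg is over HOGMIN. A hog in an uncongested pool is
    left alone, which is the point of equalizing rather than capping."""
    usage = pool_usage(rows)
    hogs = []
    for r in rows:
        pool, direction = r["Pool"], r["Port"]
        if pool not in limits:
            continue   # pool 0 / unknown pool: the trunk size would apply instead
        congested = usage[(pool, direction)] >= penalty_threshold(limits[pool][direction])
        if congested and r["Wavg"] > hogmin:
            hogs.append(r["Index"])
    return hogs


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for (pool, direction), total in sorted(pool_usage(rows).items()):
        print(f"pool {pool} {'down' if direction == INBOUND else 'up'}: {total} B/s")
    print("eligible for PENALTY:", eligible_for_penalty(rows, POOL_LIMITS))
```

With the sample rows, pool 1 inbound carries 109000 B/s against a threshold of 106250 B/s, so it is congested and only row 0 (Wavg 100000) is eligible; row 1 stays under HOGMIN, and row 4 is a 40000 B/s hog in pool 2, which is nowhere near its threshold, so it is not penalized.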
Show MAC address for Active IPs

To view all active IP addresses and their associated MAC address:
From the Web GUI Main Menu, Click on ->Reports & Graphing->Show Get MAC IP
You will see a two column report:
Column #1: all active IP addresses, in 0.0.0.0 format
Column #2: associated MAC address, in 0.0.0.0.0.0 format
The report shows MAC addresses for IP addresses that have current active connections on your network. It is not intended to be inclusive of all MAC addresses on your network.
Historical Reporting
These reports are available to help you to identify trends of bandwidth usage on your network across time.
Graphical Reporting

The NE2000, NE3000, and NE4000 series all come configured to run ntop, an open source reporting tool that has excellent graphics and tables for generating detailed reports. If you are not familiar with ntop and would like to learn more, you can read an overview on their website at http://www.ntop.org/overview.html.

We are continuing to strengthen our reporting capabilities for the NetEqualizer 2000 series and above. In software update 4.5 and above, we significantly increased the RAM disk size used to run ntop reporting over what we used in previous releases. This will enable most users to keep 1 month or more of data locally on the RAM disk. You may be able to store even more history, depending on your network size and traffic level. This change also increases the lifespan of the Compact Flash (CF). If you are on an older version of the software, we highly recommend that you upgrade to 4.5 or above to take advantage of running ntop in a RAM disk. To upgrade, contact our Support Team at 303.997.1300 x102 or email support@apconnections.net.

Notes: For NetEqualizer units shipped prior to December 2005, additional memory must be added before using ntop with an updated software version.
The NetEqualizer Lite (NETEQ-POE) no longer offers ntop reporting. Due to the small form factor of the NetEqualizer Lite, we are unable to run ntop on a RAM disk.

Starting ntop
In order to use ntop reporting, you must first start ntop.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Start ntop
The following screen appears with "Starting ntop". Once ntop is started, you will see a final line "Done."
Note: If you run this command and ntop has already been started, the message on the screen will say "ntop is already running".
You will see the following main ntop screen. Click on any of the menus to use ntop. Most useful for reporting are: 1) Summary Tab 2) IP Tab
1) ntop Summary Hosts Report (Summary Tab) This report shows all IP addresses and the bandwidth that they are consuming. Useful in identifying IP addresses that are your large bandwidth hogs.
2) ntop Summary Traffic Report (Summary Tab) Good report for those that like to see charts depicting network traffic.
3) ntop IP Summary Traffic Report (IP Tab) Shows traffic by IP in amount of data (KB) and percentage of your overall network used. Quantifies type of traffic (http, ftp, proxy, snmp, Kazaa, Gnutella, etc.)
Ntop default Administrative Username & Password
Please contact our Support Team at 303.997.1300 x102 or email support@apconnections.net if you feel that you need the administrative username and password for ntop. First, you need to understand several things before administering ntop:
1) There are a few hundred configuration options in ntop and its plug-in system. If you alter the settings, it is difficult to get back to our default setup.
2) The netflow and rrdPlugin plug-ins must both be running.
3) Do not set up your own devices in ntop.
4) Never toggle on DNS resolution within ntop, or you run the risk of filling up your RAM disk.
If you do get ntop into a state that you cannot resolve, then your best option is to get a new software image file by contacting our Support Team at 303.997.1300 x102 or emailing support@apconnections.net. You will need to have purchased NSS for your unit.

Stopping ntop
We suggest stopping ntop when you are not using it. There is no reason to run it if you are not going to look at it but once a year.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Stop ntop reports
The following screen appears with "Stopping ntop". Once ntop is stopped, you will see a final line "Done."

Resetting ntop data
Resetting ntop data is used to clear your data out of RAM memory.
From the Web GUI Main Menu, Click on ->Reports & Graphing->Reset ntop files
Note: You do not need to reset ntop data when you are done using ntop.
editor, adding the commands included in the instructions below.

Note: You must stop ntop before changing the time on your NetEqualizer. Otherwise ntop will not function to create graphs. If you have questions on this set up process, or would like to set up your NetEqualizer to use an Internet time server directly, please contact our Support Team at 303.997.1300 x102 or email support@apconnections.net.

To Set Your NetEqualizer To Use Your NTP Time Server:
1. From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
   touch /root/settime.sh;chmod a+x /root/settime.sh
2. Then, Click on ->Miscellaneous->Edit any text file /root/settime.sh
3. Put the following lines in the settime.sh file (which is currently blank) and then post the changes:
   /usr/sbin/ntpdate xx.xx.xx.xx
   /sbin/hwclock --localtime --systohc
   Where xx.xx.xx.xx is replaced with your actual NTP time server.
4. Click on ->Miscellaneous->Edit any text file /root/crontab
   Change the line (by removing the two hash marks "##"):
   ## */5 * * * * /root/settime.sh
   to:
   */5 * * * * /root/settime.sh
   Post the changes to the file.
5. From the Web GUI Main Menu, Click on ->Miscellaneous->Run a Command
   crontab /root/crontab
6. In order for this to persist across restarts, you must add it to the autostart file as well. Click on ->Miscellaneous->Edit autostart
   On a new line right above the line that says thedate=`date`, add the following:
   crontab /root/crontab
Tips and Tricks
This section of the User Guide contains some simple tips and tricks. For a list of Advanced Tips and Tricks, recommended for NetEqualizer power users, please click on the link to go to our NetEqualizer News blog site.
they compensate by sending bigger packets, and then they die and restart. As a result of this effect, you may see jumpy traffic flows when running simple tests with certain applications. Fortunately, the applications that react this way are typically streaming music applications that are not bandwidth intensive. Most of them try to hold steady at about 56 kbps. Streams in this range should not hit the penalty radar like P2P traffic, and will flow through the NetEqualizer smoothly. Keep this in mind if you are using streaming music (e.g., Real Player) when you do your early testing. As always, the NetEqualizer will attempt to slow the stream gracefully. However, an all-or-nothing traffic stream will drop off quickly and then try to restart.
Security Precautions

Note: If you have installed your NetEqualizer inside your firewall, this does not apply to you. This tip is for customers that need to install the NetEqualizer outside their firewall, on the public side of their Internet pipe.

Firewall rules are provided to prohibit unauthorized users from reaching the NetEqualizer IP, and thus SSH access and the NetEqualizer Web GUI screen.

To set up the NetEqualizer Firewall
From the Web GUI Main Menu, Click on ->Firewall->Edit firewall rules file
Below is the section of this file as it appears on the NetEqualizer GUI admin screen in a default system, before any firewall rules are set. You can follow the instructions included in the comments to set up your NetEqualizer Firewall.

# Uncomment and edit the following lines to allow certain computers to access the GUI
#/sbin/iptables -A INPUT -s 192.168.1.100 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.101 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.20 -j ACCEPT
#
# Uncomment the following line to tell the firewall to drop everything else not in the lines above
#/sbin/iptables -A INPUT -p tcp -j DROP

If the network admin always uses IP address 140.32.22.5 when accessing the system, you could limit access to the NetEqualizer with the following changes. Notice that we have removed the # characters to activate the firewall rules.

# Uncomment and edit the following lines to allow certain computers to access the GUI
/sbin/iptables -A INPUT -s 140.32.22.5 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.101 -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.1.20 -j ACCEPT
#
# Uncomment the following line to tell the firewall to drop everything else not in the lines above
/sbin/iptables -A INPUT -p tcp -j DROP

Two points to keep in mind when editing these lines. First, -A appends, so the rules are matched in file order: the ACCEPT lines must stay above the DROP line, or the admin host is locked out along with everyone else. Second, the DROP line as shipped matches only TCP, which covers SSH and the Web GUI but leaves UDP and ICMP addressed to the appliance open to any source. These rules govern only the INPUT chain, that is, packets addressed to the NetEqualizer itself, not the traffic it shapes.
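The rules above are matched in the order they are appended, and the shipped catch-all drops only TCP. The following Python is an added example, not anything from the NetEqualizer firewall file: it models first-match evaluation of the INPUT chain for the guide's two active lines and for an assumed hardened variant that restricts the admin host to SSH (port 22) and the Web GUI (port 80, an assumed port) and drops everything else regardless of protocol. The rule grammar handled is only the subset the guide uses (-A INPUT, -s, -p, --dport, -j); the test hosts and ports are constructed.

```python
"""Model iptables INPUT first-match evaluation for the guide's firewall lines.

Added example, not NetEqualizer code. Handles only the rule subset the guide
uses (-A INPUT, -s, -p, --dport, -j ACCEPT|DROP). HARDENED_RULES and its port
numbers (22 for SSH, 80 for the Web GUI) are assumptions.
"""
import ipaddress

# The two lines the guide uncomments, in file order.
GUIDE_RULES = [
    "/sbin/iptables -A INPUT -s 140.32.22.5 -j ACCEPT",
    "/sbin/iptables -A INPUT -p tcp -j DROP",
]

# Assumed hardened variant: only the management ports from the admin host,
# then a protocol-agnostic drop so UDP and ICMP are covered too.
HARDENED_RULES = [
    "/sbin/iptables -A INPUT -s 140.32.22.5 -p tcp --dport 22 -j ACCEPT",
    "/sbin/iptables -A INPUT -s 140.32.22.5 -p tcp --dport 80 -j ACCEPT",
    "/sbin/iptables -A INPUT -j DROP",
]


def parse_rule(line):
    """Parse one active iptables line into its match fields and target."""
    toks = line.split()
    if "-A" not in toks or toks[toks.index("-A") + 1] != "INPUT":
        raise ValueError(f"only -A INPUT rules are modelled: {line!r}")
    rule = {"src": None, "proto": None, "dport": None, "target": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-s":
            # strict=False so a bare host address becomes a /32 network
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif tok == "-p":
            rule["proto"] = toks[i + 1].lower()
            i += 2
        elif tok == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1].upper()
            i += 2
        else:
            i += 1
    if rule["target"] not in ("ACCEPT", "DROP"):
        raise ValueError(f"unsupported target in {line!r}")
    return rule


def load_rules(lines):
    """Keep only uncommented lines, preserving append (-A) order."""
    return [parse_rule(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def verdict(rules, src, proto, dport=None):
    """First matching rule wins. With no match, iptables falls through to the
    chain policy, which is ACCEPT unless the file also sets -P INPUT DROP."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return "ACCEPT (chain policy)"


if __name__ == "__main__":
    probes = [("140.32.22.5", "tcp", 22), ("198.51.100.7", "tcp", 80),
              ("198.51.100.7", "udp", 161), ("198.51.100.7", "icmp", None)]
    for name, lines in (("guide", GUIDE_RULES), ("hardened", HARDENED_RULES)):
        rules = load_rules(lines)
        for src, proto, port in probes:
            print(f"{name:8} {src:13} {proto:4} {str(port):5} -> {verdict(rules, src, proto, port)}")
```

Running the probes shows the gap: with the guide's two lines, a UDP packet to port 161 or an ICMP echo from an arbitrary Internet host still reaches the appliance via the default chain policy, while the hardened set drops it; swapping the two guide lines so the DROP comes first locks the admin host out of SSH, which is the ordering mistake the `-A` semantics make easy.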
Backing up your NetEqualizer Configuration
While we include a backup CF card with each NetEqualizer shipped, this does not contain your custom configuration settings. After you have made changes to your configuration, to save your new NetEqualizer configuration From the Web GUI Main Menu, Click on ->Miscellaneous->Save NetEq config To back up your configuration, Click on the "Download Config" button. Save the NetEq.cfg file to a backup location.
Failover
If you do not need full redundancy, but would like a failover solution to ensure that your network continues to function if your NetEqualizer goes down, you can configure an STP-capable switch to bypass the NetEqualizer. You can use your own switch or try our third-party STP-capable switch.
Appendix 1 - Parameter Settings, Units, and Defaults

Parameter       Unit / Default                    Notes
TRUNK_DOWN
HOGMIN          12000 bytes/sec (96 kilobits)     Sizing guideline, by network size: <100Mb 12000; >=100Mb & <1Gb 20000; >=1Gb 40000
DEFAULT_RULES   On/Off toggle, default On         Leave at Default of "On"; must be "On" for Equalizing to kick in. Uses RATIO, HOGMIN, TRUNK_UP and TRUNK_DOWN to assess congestion. Turn off during installation if you want to run throughput tests.
BRAIN_SIZE      10000                             Sizing guideline, by network size: <1Gb 10000; >=1Gb to <5Gb 20000; >=5Gb 30000
ANCIENT         rarely changed from Default       Listed values for these two parameters: 20 and 100-800
INACTIVE_TICS   rarely changed from Default
information about a user by capturing and sending IP communications in real time to a third party. Communication may be captured by headers or headers and content. We provide basic descriptive tags identifying headers, data, and time stamps, along with HEX or ASCII representation of content data.
Note: The NetEqualizer does not do any analysis of the data. We are only providing a probe function.
CALEA Compliance
As best we can tell at this time, there is no one government agency that can fully declare our technology CALEA compliant. However, we do pledge to work with our customers should they be faced with a warrant for information to adjust and even customize our solution; however additional consulting fees may apply. Although the law (see CALEA sections 103 and 107(a)(2)) is fairly specific on what needs to be done, the how is not addressed to any level of detail to which we can engineer our solution. We believe that the law and specifications on "how" to deliver to a law enforcement agency are somewhat ambiguous. The FBI has created some detailed specifications, but the reality is that there are some 40,000 law enforcement agencies, and they are each given autonomy on how they receive data. We do provide samples (see below) on how to receive NetEqualizer-captured data on a third party server, but are unable to guarantee definite compliance with any specific agency. Many people are following the ATIS specification which was put forth by the FBI, and we have read and attempted to comply with the probe portion of that specification. But, the reality is that there is no one agency given the authority to test a solution and bless it as compliant. So, if faced with a warrant for information, the law enforcement agency in charge may indeed want something in a slightly different format. If this is the case, contact our Support Team at support@apconnections.net or 303.997.1300 x102 for help in complying. Please note that as the CALEA module is not covered under NSS, consulting charges may apply. Additional information on CALEA itself can be found at http://www.askcalea.org.
www.netequalizer.com Page 43 of 52
The NAC module is priced as a separate option, and runs concurrently on most standard NetEqualizer appliances. When activated, it will force unknown users to login for access to your network. The NAC module will not run unless it is factory-enabled. If you have an older system and wish to upgrade, contact our Support Team at support@apconnections.net or 303.997.1300 x102, and they can help you determine if NAC can be enabled on your system.
There are two ways to restrict access to your network using the NAC module.
1. Manual Account Creation
Administrators of the NetEqualizer can manually create accounts for users through
Usage: quota_create 102.20.20.2/24
Will cause the NetEqualizer to start tracking data for a block (subnet) of IP addresses in the range 10.20.20.0 through 10.20.20.255.
______________________________________________________________________
quota_remove
Usage: /art/quota/quota_remove 102.20.20.2/24
Will remove a block of IP addresses from the quota system.
Note: You must use the exact same IP address and mask to remove a block as was used
Usage: /art/quota/quota_set_alarm 102.20.20.2/17 <down limit> <up limit>
Will set an alarm when an IP address reaches a defined limit. Alarm notifications will be reported in the log /tmp/quotalog; see the sample programs below for usage.
Note: All IPs in the subnet range will get flagged when/if they reach the defined limit.
The limits are in bytes transferred. Alarm notifications are reported in the quotalog /tmp/quotalog; see the example below.
______________________________________________________________________
quota_remove_alarm
Usage: /art/quota/quota_remove_alarm 102.20.20.2/17
Will remove all alarms in effect on the specified subnet.
Note: The subnet specification must match exactly the format used when the alarm was created -- same exact IP address and same exact mask.
APconnections, Inc. // 303.997.1300 // Copyright 2010 APconnections, Inc.
Will reset the usage counters for the specified subnet range.
______________________________________________________________________
quota_status_ip
Usage: /art/quota/quota_status_ip 102.20.20.2/24
Will show the current usage byte count for the specified IPs in the range and display this on the console. The usage counters must be initiated with the quota_create command. Will also put usage statistics to the default log /tmp/quotalog.
______________________________________________________________________
quota_rules
Usage: /art/ADD_CONFIG HARD <ip> <down> <up> <subnet mask> <burst factor>
Used to set rate limits on IPs, which would be the normal response should a user exceed their quota.
Parameter definitions:
HARD: Constant that specifies the type of operation. In this case HARD indicates "hard limit".
<ip>: The IP address in format x.x.x.x.
<down>: The specified max download (inbound) transfer speed for this IP in BYTES per second; this is not kbs.
<up>: The specified upload (outbound) transfer speed in BYTES per second.
<subnet mask>: Specifies the subnet mask for the IP address. For example, 24 would be the same as x.x.x.x/24 notation. However, for this command the mask is specified as a separate parameter.
<burst factor>: The last field in the command specifies the burst factor. Set this field to 1 (no bursting) or to a multiple greater than 1 (bursting). BURST FACTOR is multiplied times the <down> and <up> HARD LIMITs to arrive at the BURST LIMIT (default speed you wish to burst up to). For example, 2Mbps <down> HARD LIMIT x 4 BURST FACTOR = 8Mbps <down> BURST LIMIT.
_____________________________________________________________________
REMOVE_CONFIG
Usage:
Where x.x.x.x is the base IP address used in the ADD_CONFIG HARD command. No other parameters are necessary on the removal of the rule.
Usage: /tmp/quotalog
Various status messages will get reported along with ALARMs and usage statistics.
_____________________________________________________________________
Note: This example assumes that you have Linux shell and Perl knowledge. From the command line of a running NetEqualizer:
1. First, start the quota server.
root@neteq:/art/quota# /art/quota/quota &
[1] 29653
#
2. Then issue a command to start tracking byte counts on the local subnet. For this example, there is background network traffic running across a test NetEqualizer.
root@neteq:/art/quota# ./quota_create 192.168.1.143/24
Created 192.168.1.143/24
root@neteq:/art/quota#
This command told the quota server to start tracking bytes on the subnet 192.168.1.*
3. To see the current transferred byte count on an IP address, you can use the status_ip command.
root@neteq:/art/quota# ./quota_status_ip 192.168.1.143/24
Begin status for 192.168.1.143/24
status for 192.168.1.255
start time = Fri Apr 2 21:23:13 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 65033
Total bytes up = 0
status for 192.168.1.119
start time = Fri Apr 2 21:54:50 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 3234
Total bytes up = 4695
End of status for 192.168.1.143/24
root@neteq:/art/quota#
Yes, the output is a bit cryptic, but everything is there: for example, the start time and current time since data collection started on each IP address (192.168.1.255 and 192.168.1.119) in the subnet.
4. Now let's say we wanted to do something useful when a byte count or quota was exceeded by a user.
a. First, we would set up an alarm.
root@neteq:/art/quota# ./quota_set_alarm 192.168.1.143/24 10000 10000
First, save the perl script off to a file. In our example, we save it to a file /art/test.
c. Next, we will monitor the /tmp/quotalog for new alarms as they occur. When we find a new alarm, we will print the message "send an email to somebody important here". To actually send an email, you would need to set up an email server and call the command line smtp command with your message. We did not go that far here. Here is how we use the test script to monitor the quotalog (where ALARM messages get reported).
root@neteq:/art# tail -f /tmp/quotalog | ./test
Log Reset
ALARM 192.168.1.119 has exceeded up byte count of 160000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 190000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded up byte count of 170000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 200000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded up byte count of 180000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 210000
5. Now, what if we just want to see what quota rules are in effect? Here is a sequence where we create a couple of rules and show how you can status them.
Note: There is a subtle difference between the command quota_rules and quota_status_ip. quota_rules will show all IP addresses with rules on them, whether they have active traffic or not. quota_status_ip shows IP addresses that are part of the rule and have active traffic (are actively counting bytes). A rule does not become active (show up in quota_status_ip) until there are actually bytes being transferred.
root@neteq:/art/quota# ./quota_create 192.168.13.143/24
Created 192.168.13.143/24
root@neteq:/art/quota# ./quota_rules
Active Quotas
--------------
192.168.13.143/24
Active Alarms
---------------
root@neteq:/art/quota# ./quota_set_alarm 192.168.11.143/24 20000 20000
alarm block created for 192.168.11.143/24
root@neteq:/art/quota# ./quota_rules
Active Quotas
--------------
192.168.13.143/24
Active Alarms
---------------
192.168.11.0/24
root@neteq:/art/quota#
That concludes the NetEqualizer User-Quota API (NUQ API) programmer's toolkit for now. We will be adding more examples and features in the near future. Please feel free to e-mail us at support@apconnections.net with feature requests and bug reports on this tool.
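The walkthrough above leaves two pieces to the reader: turning quota_status_ip console output (step 3) into something a script can compare against a quota, and acting on quotalog ALARM lines (step 4) instead of just printing a message. The following is an added example, written for this guide in POSIX shell rather than the Perl script the walkthrough refers to, and it is not part of APconnections' NUQ API toolkit. It relies only on the output formats shown in steps 3 and 4. The 125000 bytes/second limit, the /32 subnet mask and the burst factor of 1 that it feeds to ADD_CONFIG HARD are constructed placeholders, as are the two sample inputs; the script prints the rule it would apply rather than executing it, so the output can be reviewed before any limit is put on a user.

```shell
#!/bin/sh
# Added example (not part of the NetEqualizer NUQ API toolkit): POSIX-shell helpers
# that parse quota_status_ip output and quotalog ALARM lines, using only the
# formats shown in the walkthrough. The 125000 B/s limit, /32 mask and burst
# factor 1 are constructed placeholders, not values from the guide.

# parse_quota_status: read quota_status_ip console output on stdin and print one
# "<ip> <bytes_down> <bytes_up>" line per "status for <ip>" block.
parse_quota_status() {
    ip=""; down=""; up=""
    while IFS= read -r line; do
        case "$line" in
            "status for "*)         ip=${line#"status for "}; down="" ;;
            "Total bytes down = "*) down=${line#"Total bytes down = "} ;;
            "Total bytes up = "*)
                up=${line#"Total bytes up = "}
                if [ -n "$ip" ]; then printf '%s %s %s\n' "$ip" "$down" "$up"; fi
                ;;
        esac
    done
    return 0
}

# over_quota LIMIT_BYTES: filter "<ip> <down> <up>" lines, printing the IPs whose
# combined transfer exceeds LIMIT_BYTES. Limits are byte counts, as in quota_set_alarm.
over_quota() {
    limit=$1
    while read -r ip down up; do
        if [ $((down + up)) -gt "$limit" ]; then printf '%s\n' "$ip"; fi
    done
    return 0
}

# parse_alarm LINE: print "<ip> <up|down> <bytes>" for a quotalog line of the form
# "ALARM <ip> has exceeded <up|down> byte count of <n>"; return 1 for any other
# line (status messages, "Log Reset", a malformed count).
parse_alarm() {
    case "$1" in
        "ALARM "*" has exceeded "*" byte count of "*) ;;
        *) return 1 ;;
    esac
    set -- $1                                   # split into the 9 fields
    [ "$#" -eq 9 ] || return 1
    case "$5" in up|down) ;; *) return 1 ;; esac
    case "$9" in ''|*[!0-9]*) return 1 ;; esac  # byte count must be numeric
    printf '%s %s %s\n' "$2" "$5" "$9"
}

# hard_limit_cmd IP [DOWN_BPS] [UP_BPS] [MASK] [BURST]: build the ADD_CONFIG HARD
# rule the guide names as the normal response to an exceeded quota. Speeds are
# BYTES per second, not kbps; the defaults here are constructed placeholders.
hard_limit_cmd() {
    printf '/art/ADD_CONFIG HARD %s %s %s %s %s\n' \
        "$1" "${2:-125000}" "${3:-125000}" "${4:-32}" "${5:-1}"
}

# watch_alarms: read quotalog lines on stdin (e.g. from tail -f /tmp/quotalog)
# and print the hard-limit rule for each IP the first time it alarms. The sample
# log shows one IP alarming again and again as it keeps transferring, so alarms
# for an IP already handled are skipped instead of re-applying the rule.
watch_alarms() {
    seen=" "
    while IFS= read -r line; do
        parsed=$(parse_alarm "$line") || continue
        set -- $parsed
        case "$seen" in *" $1 "*) continue ;; esac
        seen="$seen$1 "
        hard_limit_cmd "$1"
    done
    return 0
}

# Constructed samples in the formats shown in steps 3 and 4 of the walkthrough.
SAMPLE_STATUS='Begin status for 192.168.1.143/24
status for 192.168.1.255
start time = Fri Apr 2 21:23:13 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 65033
Total bytes up = 0
status for 192.168.1.119
start time = Fri Apr 2 21:54:50 UTC 2010
current date time = Fri Apr 2 21:55:28 UTC 2010
Total bytes down = 3234
Total bytes up = 4695
End of status for 192.168.1.143/24'

SAMPLE_LOG='Log Reset
ALARM 192.168.1.119 has exceeded up byte count of 160000
send an email to somebody important here
ALARM 192.168.1.119 has exceeded down byte count of 190000
ALARM 192.168.1.20 has exceeded up byte count of 160000'

# Dry run on the samples. On the appliance, pipe the live log instead:
#   tail -f /tmp/quotalog | sh quota_watch.sh --watch
# Each printed rule can be run by hand once it has been reviewed.
if [ "${1:-}" = "--watch" ]; then
    watch_alarms
else
    printf '%s\n' "$SAMPLE_STATUS" | parse_quota_status | over_quota 10000
    printf '%s\n' "$SAMPLE_LOG" | watch_alarms
fi
```

The alarm parser rejects anything that is not exactly the nine-field ALARM line, including the "send an email" lines the test script itself writes into the same stream, so feeding the monitor its own output back does not create rules. Deduplicating on IP matters because quota_set_alarm fires repeatedly as the count keeps climbing; without it, every repeated alarm would issue another ADD_CONFIG for the same host.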
Note: You must have a current NSS to receive the NUQ-API toolkit software. It is not